Trojan can grab extra personal banking data

Stephen Lawson |
Sept. 29, 2008

A Trojan can add data entry fields to legitimate online banking sites and entice consumers to give up additional information.

SAN FRANCISCO, 26 SEPTEMBER 2008 - A Trojan horse program now available to a growing number of fraudsters can add data entry fields to legitimate online banking sites and entice consumers to give up sensitive information such as bank card numbers and PINs (personal identification numbers).

The Limbo malware integrates itself into a Web browser using a technique called HTML (Hypertext Markup Language) injection, said Uri Rivner, head of new technologies at RSA Consumer Solutions, a division of EMC. Because it's so closely integrated in the browser, it can operate even while the user is at the real bank site and can actually change the layout of that site, he said.

"Nothing tells you that something is wrong here, with one exception: You're being asked to provide some information that you were never asked to do before," Rivner said during a briefing for reporters and analysts earlier this week. "If you are convinced that you are now communicating with the bank, the fraudsters can get away with anything they like."

Limbo can get onto a user's computer through many paths, including both pop-up messages that ask you to download an add-on program and methods that are invisible to the user, he said. They sometimes get on to PCs in conjunction with other phishing attacks.

And like other malware programs, Limbo is becoming available to more fraudsters through an underground market that includes a complex supply chain and falling prices, according to Rivner. Limbo costs about US$350, down from about $1,000 a year ago and $5,000 two years ago, he said.

"The big trend here is that it's becoming affordable," Rivner said.

The online fraud marketplace consists of "harvesters" who collect user information and "cashout" operations that use the information to do whatever has to be done to translate that information into money. For example, harvesters may capture credit-card numbers and cashout operations may use those cards to buy products online, have them delivered to an address, and sell them on the black market, he said. The two classes of fraudsters typically meet and do business with each other in IRC chatrooms and dedicated Web forums, where the most successful fraudsters are the ones who develop a reputation for working reliably and honestly with other participants, Rivner said.

Now, some fraudsters are taking a SaaS (software-as-a-service) approach, selling malware, access to botnets and everything else a person needs to become a harvester of data on unsuspecting consumers, according to Rivner. Having paid the price for this service, the harvesters can then take the identities stolen with it and sell them at a profit. The ease of going into business with this model may dramatically increase the volume of online fraud, he said.